projects / project / fwtool.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fix possible copy of null buffer and validation of unitialized header
[project/fwtool.git] / fwtool.c
1 /*
2 * Copyright (C) 2016 Felix Fietkau <nbd@nbd.name>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2
6 * as published by the Free Software Foundation
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 */
13 #include <sys/types.h>
14 #include <stdio.h>
15 #include <getopt.h>
16 #include <stdbool.h>
17 #include <stdlib.h>
18 #include <string.h>
19 #include <unistd.h>
20
21 #include "fwimage.h"
22 #include "utils.h"
23 #include "crc32.h"
24
25 #define METADATA_MAXLEN 30 * 1024
26 #define SIGNATURE_MAXLEN 1 * 1024
27
28 #define BUFLEN (METADATA_MAXLEN + SIGNATURE_MAXLEN + 1024)
29
30 enum {
31 MODE_DEFAULT = -1,
32 MODE_EXTRACT = 0,
33 MODE_APPEND = 1,
34 };
35
36 struct data_buf {
37 char *cur;
38 char *prev;
39 int cur_len;
40 int file_len;
41 };
42
43 static FILE *signature_file, *metadata_file, *firmware_file;
44 static int file_mode = MODE_DEFAULT;
45 static bool truncate_file;
46 static bool write_truncated;
47 static bool quiet = false;
48
49 static uint32_t crc_table[256];
50
51 #define msg(...) \
52 do { \
53 if (!quiet) \
54 fprintf(stderr, __VA_ARGS__); \
55 } while (0)
56
57 static int
58 usage(const char *progname)
59 {
60 fprintf(stderr, "Usage: %s <options> <firmware>\n"
61 "\n"
62 "Options:\n"
63 " -S <file>: Append signature file to firmware image\n"
64 " -I <file>: Append metadata file to firmware image\n"
65 " -s <file>: Extract signature file from firmware image\n"
66 " -i <file>: Extract metadata file from firmware image\n"
67 " -t: Remove extracted chunks from firmare image (using -s, -i)\n"
68 " -T: Output firmware image without extracted chunks to stdout (using -s, -i)\n"
69 " -q: Quiet (suppress error messages)\n"
70 "\n", progname);
71 return 1;
72 }
73
74 static FILE *
75 open_file(const char *name, bool write)
76 {
77 FILE *ret;
78
79 if (!strcmp(name, "-"))
80 return write ? stdout : stdin;
81
82 ret = fopen(name, write ? "w" : "r+");
83 if (!ret && !write)
84 ret = fopen(name, "r");
85
86 return ret;
87 }
88
89 static int
90 set_file(FILE **file, const char *name, int mode)
91 {
92 if (file_mode < 0)
93 file_mode = mode;
94 else if (file_mode != mode) {
95 msg("Error: mixing appending and extracting data is not supported\n");
96 return 1;
97 }
98
99 if (*file) {
100 msg("Error: the same append/extract option cannot be used multiple times\n");
101 return 1;
102 }
103
104 *file = open_file(name, mode == MODE_EXTRACT);
105 return !*file;
106 }
107
108 static void
109 trailer_update_crc(struct fwimage_trailer *tr, void *buf, int len)
110 {
111 tr->crc32 = cpu_to_be32(crc32_block(be32_to_cpu(tr->crc32), buf, len, crc_table));
112 }
113
114 static int
115 append_data(FILE *in, FILE *out, struct fwimage_trailer *tr, int maxlen)
116 {
117 while (1) {
118 char buf[512];
119 int len;
120
121 len = fread(buf, 1, sizeof(buf), in);
122 if (!len)
123 break;
124
125 maxlen -= len;
126 if (maxlen < 0)
127 return 1;
128
129 tr->size += len;
130 trailer_update_crc(tr, buf, len);
131 fwrite(buf, len, 1, out);
132 }
133
134 return 0;
135 }
136
137 static void
138 append_trailer(FILE *out, struct fwimage_trailer *tr)
139 {
140 tr->size = cpu_to_be32(tr->size);
141 fwrite(tr, sizeof(*tr), 1, out);
142 trailer_update_crc(tr, tr, sizeof(*tr));
143 }
144
145 static int
146 add_metadata(struct fwimage_trailer *tr)
147 {
148 struct fwimage_header hdr = {};
149
150 tr->type = FWIMAGE_INFO;
151 tr->size = sizeof(hdr) + sizeof(*tr);
152
153 trailer_update_crc(tr, &hdr, sizeof(hdr));
154 fwrite(&hdr, sizeof(hdr), 1, firmware_file);
155
156 if (append_data(metadata_file, firmware_file, tr, METADATA_MAXLEN))
157 return 1;
158
159 append_trailer(firmware_file, tr);
160
161 return 0;
162 }
163
164 static int
165 add_signature(struct fwimage_trailer *tr)
166 {
167 if (!signature_file)
168 return 0;
169
170 tr->type = FWIMAGE_SIGNATURE;
171 tr->size = sizeof(*tr);
172
173 if (append_data(signature_file, firmware_file, tr, SIGNATURE_MAXLEN))
174 return 1;
175
176 append_trailer(firmware_file, tr);
177
178 return 0;
179 }
180
181 static int
182 add_data(const char *name)
183 {
184 struct fwimage_trailer tr = {
185 .magic = cpu_to_be32(FWIMAGE_MAGIC),
186 .crc32 = ~0,
187 };
188 int file_len = 0;
189 int ret = 0;
190
191 firmware_file = fopen(name, "r+");
192 if (!firmware_file) {
193 msg("Failed to open firmware file\n");
194 return 1;
195 }
196
197 while (1) {
198 char buf[512];
199 int len;
200
201 len = fread(buf, 1, sizeof(buf), firmware_file);
202 if (!len)
203 break;
204
205 file_len += len;
206 trailer_update_crc(&tr, buf, len);
207 }
208
209 if (metadata_file)
210 ret = add_metadata(&tr);
211 else if (signature_file)
212 ret = add_signature(&tr);
213
214 if (ret) {
215 fflush(firmware_file);
216 ret = ftruncate(fileno(firmware_file), file_len);
217 if (ret < 0)
218 msg("Error during ftruncate: %m\n");
219 }
220
221 return ret;
222 }
223
224 static void
225 remove_tail(struct data_buf *dbuf, int len)
226 {
227 dbuf->cur_len -= len;
228 dbuf->file_len -= len;
229
230 if (dbuf->cur_len)
231 return;
232
233 free(dbuf->cur);
234 dbuf->cur = dbuf->prev;
235 dbuf->prev = NULL;
236 dbuf->cur_len = BUFLEN;
237 }
238
239 static int
240 extract_tail(struct data_buf *dbuf, void *dest, int len)
241 {
242 int cur_len = dbuf->cur_len;
243
244 if (!dbuf->cur)
245 return 1;
246
247 if (cur_len >= len)
248 cur_len = len;
249
250 memcpy(dest + (len - cur_len), dbuf->cur + dbuf->cur_len - cur_len, cur_len);
251 remove_tail(dbuf, cur_len);
252
253 cur_len = len - cur_len;
254 if (cur_len < 0 || !dbuf->cur)
255 return 1;
256
257 memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len);
258 remove_tail(dbuf, cur_len);
259
260 return 0;
261 }
262
263 static uint32_t
264 tail_crc32(struct data_buf *dbuf, uint32_t crc32)
265 {
266 if (dbuf->prev)
267 crc32 = crc32_block(crc32, dbuf->prev, BUFLEN, crc_table);
268
269 return crc32_block(crc32, dbuf->cur, dbuf->cur_len, crc_table);
270 }
271
272 static int
273 validate_metadata(struct fwimage_header *hdr, int data_len)
274 {
275 if (hdr->version != 0)
276 return 1;
277 return 0;
278 }
279
280 static int
281 extract_data(const char *name)
282 {
283 struct fwimage_header *hdr;
284 struct fwimage_trailer tr;
285 struct data_buf dbuf = {};
286 uint32_t crc32 = ~0;
287 int data_len = 0;
288 int ret = 1;
289 void *buf;
290 bool metadata_keep = false;
291
292 firmware_file = open_file(name, false);
293 if (!firmware_file) {
294 msg("Failed to open firmware file\n");
295 return 1;
296 }
297
298 if (truncate_file && firmware_file == stdin) {
299 msg("Cannot truncate file when reading from stdin\n");
300 return 1;
301 }
302
303 buf = malloc(BUFLEN);
304 if (!buf)
305 return 1;
306
307 do {
308 char *tmp = dbuf.cur;
309
310 if (write_truncated && dbuf.prev)
311 fwrite(dbuf.prev, 1, BUFLEN, stdout);
312
313 dbuf.cur = dbuf.prev;
314 dbuf.prev = tmp;
315
316 if (dbuf.cur)
317 crc32 = crc32_block(crc32, dbuf.cur, BUFLEN, crc_table);
318 else
319 dbuf.cur = malloc(BUFLEN);
320
321 if (!dbuf.cur)
322 goto out;
323
324 dbuf.cur_len = fread(dbuf.cur, 1, BUFLEN, firmware_file);
325 dbuf.file_len += dbuf.cur_len;
326 } while (dbuf.cur_len == BUFLEN);
327
328 while (1) {
329
330 if (extract_tail(&dbuf, &tr, sizeof(tr))) {
331 msg("unable to extract trailer header\n");
332 break;
333 }
334
335 if (tr.magic != cpu_to_be32(FWIMAGE_MAGIC)) {
336 msg("Data not found\n");
337 metadata_keep = true;
338 break;
339 }
340
341 data_len = be32_to_cpu(tr.size) - sizeof(tr);
342
343 if (be32_to_cpu(tr.crc32) != tail_crc32(&dbuf, crc32)) {
344 msg("CRC error\n");
345 break;
346 }
347
348 if (data_len > BUFLEN) {
349 msg("Size error\n");
350 break;
351 }
352
353 if (extract_tail(&dbuf, buf, data_len)) {
354 msg("unable to extract trailer data\n");
355 break;
356 }
357
358 if (tr.type == FWIMAGE_SIGNATURE) {
359 if (!signature_file)
360 continue;
361 fwrite(buf, data_len, 1, signature_file);
362 ret = 0;
363 break;
364 } else if (tr.type == FWIMAGE_INFO) {
365 if (!metadata_file) {
366 dbuf.file_len += data_len + sizeof(tr);
367 metadata_keep = true;
368 break;
369 }
370
371 hdr = buf;
372 data_len -= sizeof(*hdr);
373 if (validate_metadata(hdr, data_len))
374 continue;
375
376 fwrite(hdr + 1, data_len, 1, metadata_file);
377 ret = 0;
378 break;
379 } else {
380 continue;
381 }
382 }
383
384 if (!ret && truncate_file) {
385 ret = ftruncate(fileno(firmware_file), dbuf.file_len);
386 if (ret < 0) {
387 msg("Error during ftruncate: %m\n");
388 goto out;
389 }
390 }
391
392 if (write_truncated) {
393 if (dbuf.prev)
394 fwrite(dbuf.prev, 1, BUFLEN, stdout);
395 if (dbuf.cur)
396 fwrite(dbuf.cur, 1, dbuf.cur_len, stdout);
397 if (metadata_keep) {
398 fwrite(buf, data_len, 1, stdout);
399 fwrite(&tr, sizeof(tr), 1, stdout);
400 }
401 }
402
403 out:
404 free(buf);
405 free(dbuf.cur);
406 free(dbuf.prev);
407 return ret;
408 }
409
410 static void cleanup(void)
411 {
412 if (signature_file)
413 fclose(signature_file);
414 if (metadata_file)
415 fclose(metadata_file);
416 if (firmware_file)
417 fclose(firmware_file);
418 }
419
420 int main(int argc, char **argv)
421 {
422 const char *progname = argv[0];
423 int ret, ch;
424
425 crc32_filltable(crc_table);
426
427 while ((ch = getopt(argc, argv, "i:I:qs:S:tT")) != -1) {
428 ret = 0;
429 switch(ch) {
430 case 'S':
431 ret = set_file(&signature_file, optarg, MODE_APPEND);
432 break;
433 case 'I':
434 ret = set_file(&metadata_file, optarg, MODE_APPEND);
435 break;
436 case 's':
437 ret = set_file(&signature_file, optarg, MODE_EXTRACT);
438 break;
439 case 'i':
440 ret = set_file(&metadata_file, optarg, MODE_EXTRACT);
441 break;
442 case 't':
443 truncate_file = true;
444 break;
445 case 'T':
446 write_truncated = true;
447 break;
448 case 'q':
449 quiet = true;
450 break;
451 }
452
453 if (ret)
454 goto out;
455 }
456
457 if (optind >= argc) {
458 ret = usage(progname);
459 goto out;
460 }
461
462 if (file_mode == MODE_DEFAULT) {
463 ret = usage(progname);
464 goto out;
465 }
466
467 if (signature_file && metadata_file) {
468 msg("Cannot append/extract metadata and signature in one run\n");
469 return 1;
470 }
471
472 if (file_mode)
473 ret = add_data(argv[optind]);
474 else
475 ret = extract_data(argv[optind]);
476
477 out:
478 cleanup();
479 return ret;
480 }
Utility for appending and extracting firmware metadata and signatures